PT-2026-28167 · Pypi · Yaml
Kq5Y +1
Published 2026-03-25 · Updated 2026-04-07 · CVE-2026-33532
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions
yaml versions prior to 1.10.3
yaml versions prior to 2.8.3

Description
The yaml library is susceptible to a stack overflow when parsing YAML documents. The issue occurs during the node resolution/composition phase, which uses recursive function calls without a depth limit. An attacker providing malicious YAML input, approximately 2–10 KB in size, can trigger a RangeError: Maximum call stack size exceeded. This error is not a YAMLParseError, so applications that handle only YAML-specific errors may be hit by an unexpected exception. The impact can range from request failures to the termination of the Node.js process. Flow sequences, which cost only a few bytes per nesting level, make deep nesting cheap and exacerbate the problem. The library's Parser (CST phase) is not affected, as it employs an iterative, stack-based approach. The affected APIs are YAML.parse(), YAML.parseDocument(), and YAML.parseAllDocuments().

Recommendations
Versions prior to 1.10.3: upgrade to version 1.10.3 or later.
Versions prior to 2.8.3: upgrade to version 2.8.3 or later.
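As an added, defender-side example (not code from the yaml package or from this advisory): a wrapper that bounds flow-collection nesting before the parser runs, and converts a RangeError escaping the recursive composition phase into an application-level error so that it is handled like any other bad input instead of crashing the process. The parse function is passed in (YAML.parse from the yaml package is the intended target); JSON.parse stands in for it below because JSON is valid YAML flow style. The depth limit of 64, the helper names and the sample inputs are assumptions constructed for the demonstration.

```javascript
// Added example, not code from the yaml package or from the advisory.
// Two defensive layers for applications that cannot upgrade immediately, or
// that want defence in depth after upgrading:
//   1. bound flow-collection nesting ('[' / '{') before the parser runs,
//   2. convert a RangeError escaping the parser into a handled error,
//      because RangeError is not a YAMLParseError and would otherwise slip
//      past handlers that catch only YAML-specific errors.

const MAX_FLOW_DEPTH = 64; // assumed limit; real documents rarely nest this deep

// Error raised for input we refuse to hand to the application.
class YamlInputRejected extends Error {
  constructor(message) {
    super(message);
    this.name = 'YamlInputRejected';
  }
}

// Pre-scan: deepest nesting of flow collections in the text (hypothetical
// helper, not part of the yaml API). Brackets inside quoted scalars and in
// comments are ignored so ordinary documents are not miscounted. Block-style
// (indentation) nesting is not measured, and a stray apostrophe in a plain
// scalar makes the scan under-count; layer 2 exists for exactly those cases.
function maxFlowDepth(text) {
  let depth = 0;
  let max = 0;
  let quote = null;       // '"' or "'" while inside a quoted scalar
  let inComment = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inComment) {
      if (c === '\n') inComment = false;
      continue;
    }
    if (quote !== null) {
      if (c === '\\' && quote === '"') { i++; continue; } // skip escaped char
      if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'") { quote = c; continue; }
    // '#' starts a comment only at line start or after whitespace
    if (c === '#' && (i === 0 || /\s/.test(text[i - 1]))) { inComment = true; continue; }
    if (c === '[' || c === '{') {
      depth++;
      if (depth > max) max = depth;
    } else if ((c === ']' || c === '}') && depth > 0) {
      depth--;
    }
  }
  return max;
}

// Wrap any parse function (YAML.parse, YAML.parseDocument, ...) with both layers.
function safeParse(parseFn, text, maxDepth = MAX_FLOW_DEPTH) {
  const depth = maxFlowDepth(text);
  if (depth > maxDepth) {
    throw new YamlInputRejected(`flow nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  try {
    return parseFn(text);
  } catch (err) {
    // Runaway recursion surfaces as RangeError, not YAMLParseError; treat the
    // input as hostile instead of letting the exception take down the process.
    if (err instanceof RangeError) {
      throw new YamlInputRejected(`parser exhausted the call stack: ${err.message}`);
    }
    throw err; // genuine parse errors pass through unchanged
  }
}

// Self-check. JSON.parse stands in for YAML.parse (JSON is valid YAML flow
// style); the inputs are constructed for the demonstration.
function demo() {
  const parsed = safeParse(JSON.parse, '[1, [2, [3]]]');

  let deepRejected = null;
  try {
    safeParse(JSON.parse, '['.repeat(200) + ']'.repeat(200));
  } catch (e) { deepRejected = e.name; }

  let rangeConverted = null;
  const exhaustedParser = () => { throw new RangeError('Maximum call stack size exceeded'); };
  try {
    safeParse(exhaustedParser, 'key: value');
  } catch (e) { rangeConverted = e.name; }

  return { parsed, deepRejected, rangeConverted };
}

console.log(demo());
```

The pre-scan is cheap (one pass, no allocation) and rejects the flow-sequence shape the advisory describes before any recursion happens; the catch clause is the safety net for whatever the scan cannot see, and it deliberately re-throws anything that is not a RangeError so the application's existing YAMLParseError handling keeps working.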

Weakness Enumeration
Uncontrolled Recursion

Related Identifiers
CVE-2026-33532
GHSA-48C2-RRV3-QJMP

Affected Products
Yaml